Install command
Not provided
Source-backed rules for reviewing AI-generated JavaScript/TypeScript code before merge for prototype pollution risk, covering unsafe recursive merge/clone/assign helpers on untrusted input, proto and constructor-prototype key handling, and safer alternatives like Map, Set, and Object.create(null).
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Not provided
Config snippet
Not provided
Copy snippet
Provided
Prerequisites
4 to clear
Platforms
1 listed
Install type
Copy & paste
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Prerequisite readiness
4 prerequisites to line up before setup.
Safety & privacy surface
3 safety and 2 privacy notes across 3 risk areas. Review closely: network access.
You are reviewing AI-generated JavaScript/TypeScript code for prototype
pollution risk.
Rules:
1. Identify every recursive merge, deep-clone, deep-assign, or "set a
nested path from a string" helper the change adds or edits, and
whether the source object's keys can be influenced by user input
(request body, query string, parsed JSON/YAML, a config file a user
can upload).
2. Flag any such helper that copies keys without excluding `__proto__`,
`constructor`, and `prototype` — a key named `__proto__` in the
source object, or a nested `constructor.prototype` path, can let an
attacker write properties onto `Object.prototype` itself, affecting
every object in the process.
3. Prefer `Map`/`Set` over a plain object literal for any untrusted
key-value data — `Map`/`Set` have no prototype chain to pollute for
the keys/values they store, unlike `{}`.
4. When a plain object is required, create it with `Object.create(null)`
(no inherited prototype) rather than `{}`, or use `{ __proto__: null }`
as a last resort when `Object.create` isn't available in context.
5. Do not trust a hand-rolled recursive merge/clone as automatically
safe just because it looks similar to a well-known library function;
confirm it explicitly denies `__proto__`/`constructor`/`prototype`
keys at every recursion level, not just the top level.
6. Treat any dependency that performs deep merging, cloning, or templating
on external input (config-merging libraries, deep-set-by-path
utilities) as needing a version check against known prototype
pollution advisories for that library, not just an assumption that
"it's a popular package so it's safe."Use these rules when an AI coding assistant writes or edits JavaScript or
TypeScript code that recursively merges, deep-clones, or assigns properties
from an object built from untrusted input. The goal is to stop a generated
config-merge, deep-clone, or "set a nested path from a string" helper from
letting an attacker pollute Object.prototype (or another built-in
prototype) and silently change behavior across the whole application.
This is a review policy, not a prototype-pollution tutorial. It tells reviewers what must be true about a generated change's object-merging code before the change is safe to merge.
Collect enough context to know which objects are merged/cloned and where their keys come from.
{}) or Map/Set are used to hold
untrusted key-value data.__proto__,
constructor, and prototype as keys at every recursion level, not just
the top level of the object.Map/Set over a plain object literal for any collection built
from untrusted keys — they have no prototype chain for attacker-supplied
keys to pollute, unlike {}.Object.create(null)
so it has no inherited prototype, or use { __proto__: null } as a
fallback when Object.create isn't available in that context.Object.freeze()/Object.seal() on built-in prototypes as an
additional defense-in-depth layer, understanding it can break libraries
that legitimately extend built-ins, so apply and test it deliberately
rather than blanket-applying it.--disable-proto=delete flag removes the __proto__
accessor entirely as a defense-in-depth measure; note it does not stop
pollution via constructor.prototype, so it complements rather than
replaces the merge/clone guards above.Block merge when any of these is true.
__proto__, constructor, and prototype keys at
every level.Map/Set or Object.create(null) would avoid the prototype-chain risk
entirely, with no documented reason for the plain object.AI assistants can write and review object-merging code, but they should show their evidence.
__proto__/constructor/prototype keys, not just assert the helper is
"safe."__proto__ or
constructor.prototype payload.constructor or prototype needs to be
stored: use a Map for that data instead of a plain object, so the key
name has no special meaning.Object.freeze() on a built-in prototype breaks a library: that
library legitimately extends the built-in; scope the freeze more
narrowly or drop it, and rely on the merge/clone-level guards instead.{"__proto__": {"polluted": true}} or
{"constructor": {"prototype": {"polluted": true}}} payload and asserts
({}).polluted remains undefined afterward.Before adding a new merge/clone/deep-assign helper, confirm the codebase does not already have a shared, guarded utility for this. A generated change that adds a new hand-rolled merge function next to an existing guarded shared helper should be treated as suspicious — check whether the existing mechanism was simply not reused before introducing a second, possibly unguarded one.
| Pattern | Risk | Fix |
|---|---|---|
Recursive merge(target, source) with no key filter |
{"__proto__": {...}} pollutes Object.prototype |
Explicitly skip __proto__/constructor/prototype at every level |
defaultsDeep-style deep-defaults on user input |
{"constructor": {"prototype": {...}}} pollution (CVE-2019-10744 pattern) |
Guarded merge helper or a patched, current library version |
Untrusted data stored as {} |
Inherits from Object.prototype |
Map/Set, or Object.create(null) |
| Old deep-merge dependency, never version-checked | May carry a known, patched prototype-pollution CVE | Pin/upgrade to a version with the fix, verify via its advisory |
Show that AI-Generated Prototype Pollution Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/rules/ai-generated-prototype-pollution-review-rules)AI-Generated Prototype Pollution Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
| Field | Source-backed rules for reviewing AI-generated JavaScript/TypeScript code before merge for prototype pollution risk, covering unsafe recursive merge/clone/assign helpers on untrusted input, proto and constructor-prototype key handling, and safer alternatives like Map, Set, and Object.create(null). Open dossier | Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions. Open dossier | Source-backed rules for reviewing AI-generated endpoints and data-access code before merge for insecure direct object reference risk, covering per-request object-level authorization checks, scoped database lookups, identifier exposure, and consistent enforcement across read, write, and admin operations. Open dossier | Source-backed rules for reviewing AI-generated code that deserializes data before merge for insecure deserialization risk, covering native serialization formats (pickle, PyYAML, Java Serializable) that can execute arbitrary code on untrusted input, safe data-interchange alternatives, and class allowlisting/integrity checks when native formats can't be avoided. Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed | Source-backed | Source-backed |
| SubmitterDiffers | lourincedaging0-commits | jaso0n0818 | lourincedaging0-commits | lourincedaging0-commits |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | — | — |
| Category | rules | rules | rules | rules |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | lourincedaging0-commits | jaso0n0818 | lourincedaging0-commits | lourincedaging0-commits |
| Added | 2026-07-15 | 2026-06-22 | 2026-07-15 | 2026-07-15 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓Prototype pollution lets an attacker add or overwrite properties on Object.prototype (or another shared built-in prototype), which can silently change behavior across the entire application — from denial-of-service and logic bypasses to, in some frameworks/environments, remote code execution. AI assistants often write a straightforward recursive merge/deep-clone/deep-set helper (a natural, short implementation for combining config objects or request bodies) without excluding __proto__/constructor/prototype keys, because the happy-path test data never includes those key names. This is a real, repeatedly-exploited class in widely-used JavaScript libraries, not a theoretical concern — for example CVE-2019-10744 in lodash's defaultsDeep allowed Object.prototype pollution via a crafted {constructor: {prototype: {...}}} input. | ✓A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies. AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request. Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it. | ✓A missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets. AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects. Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check. | ✓Deserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result. AI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used. An integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces. |
| Privacy notes | ✓Prototype pollution proof-of-concept payloads can trigger unexpected application-wide behavior in a shared environment; test in an isolated sandbox, not a shared staging or production system. Do not commit a working exploit payload targeting a specific internal endpoint into a public PR or issue; describe the vulnerable merge pattern and the class of key involved instead. | ✓CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues. Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers. Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards. | ✓IDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue. Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders. Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied. | ✓Deserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system. Do not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit. |
| Prerequisites |
|
|
|
|
| Install | — | — | — | — |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Review AI-generated pull requests with repeatable security, test, and evidence checks.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.